only allow me on users

coadler · coadler · commit 2a61e73d53d9 · 2022-03-31T13:22:39.000-05:00
diff --git a/coderd/httpmw/httpmw.go b/coderd/httpmw/httpmw.go
@@ -21,7 +21,7 @@ func parseUUID(rw http.ResponseWriter, r *http.Request, param string) (uuid.UUID
 	}
 
 	// Automatically set uuid.Nil to the acting users id.
-	if rawID == "me" {
+	if param == UserKey && rawID == "me" {
 		key := APIKey(r)
 		return key.UserID, true
 	}
diff --git a/coderd/httpmw/userparam.go b/coderd/httpmw/userparam.go
@@ -9,6 +9,8 @@ import (
 	"github.com/coder/coder/coderd/httpapi"
 )
 
+const UserKey = "user"
+
 type userParamContextKey struct{}
 
 // UserParam returns the user from the ExtractUserParam handler.
@@ -24,7 +26,7 @@ func UserParam(r *http.Request) database.User {
 func ExtractUserParam(db database.Store) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-			userID, ok := parseUUID(rw, r, "user")
+			userID, ok := parseUUID(rw, r, UserKey)
 			if !ok {
 				return
 			}

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ func parseUUID(rw http.ResponseWriter, r *http.Request, param string) (uuid.UUID`
`21`	`21`	`}`
`22`	`22`
`23`	`23`	`// Automatically set uuid.Nil to the acting users id.`
`24`		`- if rawID == "me" {`
	`24`	`+ if param == UserKey && rawID == "me" {`
`25`	`25`	`key := APIKey(r)`
`26`	`26`	`return key.UserID, true`
`27`	`27`	`}`